In computer networking, domain names help identify locations where certain information or services can be found on a public or private network. Domain names are typically formed according to the rules and procedures of the DNS, and can be used for various naming and addressing purposes. In general, a domain name can be resolved to an Internet Protocol (IP) resource, such as a personal computer, a server hosting website pages, or a website page or service. Thus, the DNS can translate domain names (such as “www.example.com”) into the corresponding IP addresses (such as “123.4.56.78”) needed to establish communications over the Internet.
Traditionally, DNS servers resolve domain names (i.e., translate them to IP addresses) upon receiving DNS queries associated with those domain names. When a DNS server receives a query from a client, the DNS server checks whether it can answer the DNS query based on data available to it. If the queried domain name matches a corresponding resource record in a local cache, the DNS server can answer without querying any other DNS servers. If no local record exists for the queried domain name, the DNS server checks whether it can resolve the domain name using historical data. If a match is found, the DNS server answers based on the historical data. If no match for the queried domain name is found at the DNS server level, the query process can continue with assistance from other DNS servers.
One of the important tasks for Internet Service Providers (ISPs), malware protection providers, and many other systems is to identify malicious network activities such as web-based security threats or botnets. Malicious code authors use a variety of methods to prevent authorities and users from identifying security threat sources. These methods can range from adaptive computer coding techniques to changing command and control (C&C) server locations to different infected computers. It may be difficult to detect certain malware operations, while the costs of continuously maintaining security measures, such as honeypots, and related infrastructure are high. Thus, the fleeting and evolving nature of various web-based security threats requires new methods of identifying malicious servers and clients.